Aggregate inline deduplication with volume granular encryption

ABSTRACT

Techniques are provided for aggregate inline deduplication and volume granularity encryption. For example, data that is exclusive to a volume of a tenant is encrypted using an exclusive encryption key accessible to the tenant. The exclusive encryption key of that tenant is inaccessible to other tenants. Shared data that has been deduplicated and shared between the volume and another volume of a different tenant is encrypted using a shared encryption key of the volume. The shared encryption key is made available to other tenants. In this way, data can be deduplicated across multiple volumes of different tenants of a storage environment, while maintaining security and data privacy at a volume level.

RELATED APPLICATION

This application claims priority to and is a continuation of U.S.application Ser. No. 16/354,562, filed on Mar. 15, 2019, now allowed,titled “AGGREGATE INLINE DEDUPLICATION WITH VOLUME GRANULAR ENCRYPTION,”which is incorporated herein by reference.

BACKGROUND

Tenants of a storage environment, such as a cloud storage environment ormultitenant environment, can connect to the storage environment usingtenant devices. The tenants can use the tenant devices to store andaccess data within the storage environment. The storage environment mayisolate data of a tenant from data of other tenants. For example, afirst volume may be created for a first tenant. The storage environmentmay restrict access to the first volume to only the first tenant. Asecond volume may be created for a second tenant. The storageenvironment may restrict access to the second volume to only the secondtenant. Even though data of multiple tenants may utilize the sameresources, the data is isolated so that tenants can only access theirown data. In an example, data of each volume is encrypted with anencryption key of a tenant whose data is stored in that volume. Thus,each tenant has their own encryption key used to encrypt volumes withinwhich that tenant's data is stored. These encryption keys are not sharedwith other tenants. Unfortunately, data cannot be deduplicated acrossvolumes of different tenants because each volume of a tenant isencrypted with an encryption key only accessible to that tenant. Thissignificantly wastes storage resources of the storage environmentbecause data cannot be deduplicated across volumes of different tenants.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a component block diagram illustrating an example clusterednetwork in which an embodiment of the invention may be implemented.

FIG. 2 is a component block diagram illustrating an example data storagesystem in which an embodiment of the invention may be implemented.

FIG. 3 is a flow chart illustrating an example method for aggregateinline deduplication with volume granular encryption.

FIG. 4A is a component block diagram illustrating an example system foraggregate inline deduplication with volume granular encryption, whereexclusive data is encrypted using an exclusive encryption key.

FIG. 4B is a component block diagram illustrating an example system foraggregate inline deduplication with volume granular encryption, whereshared data is encrypted using a shared encryption key.

FIG. 4C is a component block diagram illustrating an example system foraggregate inline deduplication with volume granular encryption, where ashared encryption key is used to access shared data.

FIG. 4D is a component block diagram illustrating an example system foraggregate inline deduplication with volume granular encryption, where avolume is deleted.

FIG. 5 is an example of a computer readable medium in which anembodiment of the invention may be implemented.

FIG. 6 is a component block diagram illustrating an example computingenvironment in which an embodiment of the invention may be implemented.

DETAILED DESCRIPTION

Some examples of the claimed subject matter are now described withreference to the drawings, where like reference numerals are generallyused to refer to like elements throughout. In the following description,for purposes of explanation, numerous specific details are set forth inorder to provide an understanding of the claimed subject matter. It maybe evident, however, that the claimed subject matter may be practicedwithout these specific details. Nothing in this detailed description isadmitted as prior art.

A storage environment, such as a cloud computing environment ormulti-tenant environment, provides tenants with access to computing andstorage resources. For example, the storage environment may provide atenant with the ability to execute applications, instantiate and runstorage virtual servers, store data, etc. The storage environmentprovides security and privacy by isolating each tenant's data intoseparate volumes so that a tenant cannot access data of another tenant.In one example, this is accomplished by providing each tenant with theirown volume within which the tenant can store and access data. Thus, afirst tenant is provided with access to a first volume assigned to thefirst tenant, but is blocked from accessing volumes assigned to othertenants.

Operation of the storage environment may be improved if the storageenvironment implements storage efficiency functionality, such ascompression and deduplication. One type of deduplication is inlinededuplication that ensures blocks are deduplicated before being writtento a storage device. Inline deduplication uses a data structure, such asan incore hash store, which maps fingerprints of data to data blocks ofthe storage device storing the data. Whenever data is to be written tothe storage device, a fingerprint of that data is calculated and thedata structure is looked up using the fingerprint to find duplicates(e.g., potentially duplicate data already stored within the storagedevice). If duplicate data is found, then the duplicate data is loadedfrom the storage device and a byte by byte comparison may be performedto ensure that the duplicate data is an actual duplicate of the data tobe written to the storage device. If the data to be written is aduplicate of the loaded duplicate data, then the data to be written todisk is not redundantly stored to the storage device. Instead, a pointeror other reference is stored in the storage device in place of the datato be written to the storage device. The pointer points to the duplicatedata already stored in the storage device. In this way, inlinededuplication is able to deduplicate data before the data is written todisk. This improves the storage efficiency of the storage device.

Operation of the storage environment would also be improved if securityand data encryption is used to provide a level of security expected bytenants. For example, data of a tenant may be stored within a volume.The data may be encrypted with a key of the tenant that is not sharedwith other tenants. Thus, only that tenant can access the tenant's datawithin the volume. In this way, volume level encryption may beimplemented.

Unfortunately, when volume level encryption is used, there is no way toperform deduplication across volumes. Deduplication can only beperformed within a volume. This is because each volume has its ownexclusive encryption key that is only accessible to a tenant owning thatvolume. The inability to perform deduplication across volumessignificantly reduces the storage benefits of deduplication andoperation of the storage environment.

Accordingly, as provided herein, aggregate inline deduplication withvolume granular encryption is implemented for the storage environment.Aggregate inline deduplication is performed at an aggregate level thatcan include deduplicating data across multiple volumes owned bydifferent tenants. This is because the volume granular encryption uses ashared encryption key and an exclusive encryption key per volume forencrypting data. The exclusive encryption key is used to encrypt data ofa volume that is exclusive to that volume (e.g., data not comprisedwithin other volumes). The exclusive encryption key is only accessibleto the tenant owning that volume. The shared encryption key is used toencrypt data shared between the volume and other volumes. Other volumesof other tenants (e.g., storage services of the storage environment usedto provide other tenants with access to data) are able to access and usethe shared encryption key to access the shared data. Thus, if shareddata is stored within the volume of the tenant and is referenced due toinline deduplication by a second volume of a second tenant, then theshared data is accessible to the second tenant by using the sharedencryption key. Thus, when the second tenant requests a file comprisingthe shared data, a storage service of the storage environment can usethe shared encryption key to decrypt the shared data within the volumeof the tenant in order to make the file accessible to the second tenant.

To provide for aggregate inline deduplication with volume granularencryption, FIG. 1 illustrates an embodiment of a clustered networkenvironment 100 or a network storage environment. It may be appreciated,however, that the techniques, etc. described herein may be implementedwithin the clustered network environment 100, a non-cluster networkenvironment, and/or a variety of other computing environments, such as adesktop computing environment. That is, the instant disclosure,including the scope of the appended claims, is not meant to be limitedto the examples provided herein. It will be appreciated that where thesame or similar components, elements, features, items, modules, etc. areillustrated in later figures but were previously discussed with regardto prior figures, that a similar (e.g., redundant) discussion of thesame may be omitted when describing the subsequent figures (e.g., forpurposes of simplicity and ease of understanding).

FIG. 1 is a block diagram illustrating the clustered network environment100 that may implement at least some embodiments of the techniquesand/or systems described herein. The clustered network environment 100comprises data storage systems 102 and 104 that are coupled over acluster fabric 106, such as a computing network embodied as a privateInfiniband, Fibre Channel (FC), or Ethernet network facilitatingcommunication between the data storage systems 102 and 104 (and one ormore modules, component, etc. therein, such as, nodes 116 and 118, forexample). It will be appreciated that while two data storage systems 102and 104 and two nodes 116 and 118 are illustrated in FIG. 1 , that anysuitable number of such components is contemplated. In an example, nodes116, 118 comprise storage controllers (e.g., node 116 may comprise aprimary or local storage controller and node 118 may comprise asecondary or remote storage controller) that provide client devices,such as host devices 108, 110, with access to data stored within datastorage devices 128, 130. Similarly, unless specifically providedotherwise herein, the same is true for other modules, elements,features, items, etc. referenced herein and/or illustrated in theaccompanying drawings. That is, a particular number of components,modules, elements, features, items, etc. disclosed herein is not meantto be interpreted in a limiting manner.

It will be further appreciated that clustered networks are not limitedto any particular geographic areas and can be clustered locally and/orremotely. Thus, in an embodiment a clustered network can be distributedover a plurality of storage systems and/or nodes located in a pluralityof geographic locations; while In an embodiment a clustered network caninclude data storage systems (e.g., 102, 104) residing in a samegeographic location (e.g., in a single onsite rack of data storagedevices).

In the illustrated example, one or more host devices 108, 110 which maycomprise, for example, client devices, personal computers (PCs),computing devices used for storage (e.g., storage servers), and othercomputers or peripheral devices (e.g., printers), are coupled to therespective data storage systems 102, 104 by storage network connections112, 114. Network connection may comprise a local area network (LAN) orwide area network (WAN), for example, that utilizes Network AttachedStorage (NAS) protocols, such as a Common Internet File System (CIFS)protocol or a Network File System (NFS) protocol to exchange datapackets, a Storage Area Network (SAN) protocol, such as Small ComputerSystem Interface (SCSI) or Fiber Channel Protocol (FCP), an objectprotocol, such as S3, etc. Illustratively, the host devices 108, 110 maybe general-purpose computers running applications, and may interact withthe data storage systems 102, 104 using a client/server model forexchange of information. That is, the host device may request data fromthe data storage system (e.g., data on a storage device managed by anetwork storage control configured to process I/O commands issued by thehost device for the storage device), and the data storage system mayreturn results of the request to the host device via one or more storagenetwork connections 112, 114.

The nodes 116, 118 on clustered data storage systems 102, 104 cancomprise network or host nodes that are interconnected as a cluster toprovide data storage and management services, such as to an enterprisehaving remote locations, cloud storage (e.g., a storage endpoint may bestored within a data cloud), etc., for example. Such a node in theclustered network environment 100 can be a device attached to thenetwork as a connection point, redistribution point or communicationendpoint, for example. A node may be capable of sending, receiving,and/or forwarding information over a network communications channel, andcould comprise any device that meets any or all of these criteria. Oneexample of a node may be a data storage and management server attachedto a network, where the server can comprise a general purpose computeror a computing device particularly configured to operate as a server ina data storage and management system.

In an example, a first cluster of nodes such as the nodes 116, 118(e.g., a first set of storage controllers configured to provide accessto a first storage aggregate comprising a first logical grouping of oneor more storage devices) may be located on a first storage site. Asecond cluster of nodes, not illustrated, may be located at a secondstorage site (e.g., a second set of storage controllers configured toprovide access to a second storage aggregate comprising a second logicalgrouping of one or more storage devices). The first cluster of nodes andthe second cluster of nodes may be configured according to a disasterrecovery configuration where a surviving cluster of nodes providesswitchover access to storage devices of a disaster cluster of nodes inthe event a disaster occurs at a disaster storage site comprising thedisaster cluster of nodes (e.g., the first cluster of nodes providesclient devices with switchover data access to storage devices of thesecond storage aggregate in the event a disaster occurs at the secondstorage site).

As illustrated in the clustered network environment 100, nodes 116, 118can comprise various functional components that coordinate to providedistributed storage architecture for the cluster. For example, the nodescan comprise network modules 120, 122 and disk modules 124, 126. Networkmodules 120, 122 can be configured to allow the nodes 116, 118 (e.g.,network storage controllers) to connect with host devices 108, 110 overthe storage network connections 112, 114, for example, allowing the hostdevices 108, 110 to access data stored in the distributed storagesystem. Further, the network modules 120, 122 can provide connectionswith one or more other components through the cluster fabric 106. Forexample, in FIG. 1 , the network module 120 of node 116 can access asecond data storage device by sending a request through the disk module126 of node 118.

Disk modules 124, 126 can be configured to connect one or more datastorage devices 128, 130, such as disks or arrays of disks, flashmemory, or some other form of data storage, to the nodes 116, 118. Thenodes 116, 118 can be interconnected by the cluster fabric 106, forexample, allowing respective nodes in the cluster to access data on datastorage devices 128, 130 connected to different nodes in the cluster.Often, disk modules 124, 126 communicate with the data storage devices128, 130 according to the SAN protocol, such as SCSI or FCP, forexample. Thus, as seen from an operating system on nodes 116, 118, thedata storage devices 128, 130 can appear as locally attached to theoperating system. In this manner, different nodes 116, 118, etc. mayaccess data blocks through the operating system, rather than expresslyrequesting abstract files.

It should be appreciated that, while the clustered network environment100 illustrates an equal number of network and disk modules, otherembodiments may comprise a differing number of these modules. Forexample, there may be a plurality of network and disk modulesinterconnected in a cluster that does not have a one-to-onecorrespondence between the network and disk modules. That is, differentnodes can have a different number of network and disk modules, and thesame node can have a different number of network modules than diskmodules.

Further, a host device 108, 110 can be networked with the nodes 116, 118in the cluster, over the storage networking connections 112, 114. As anexample, respective host devices 108, 110 that are networked to acluster may request services (e.g., exchanging of information in theform of data packets) of nodes 116, 118 in the cluster, and the nodes116, 118 can return results of the requested services to the hostdevices 108, 110. In an embodiment, the host devices 108, 110 canexchange information with the network modules 120, 122 residing in thenodes 116, 118 (e.g., network hosts) in the data storage systems 102,104.

In an embodiment, the data storage devices 128, 130 comprise volumes132, which is an implementation of storage of information onto diskdrives or disk arrays or other storage (e.g., flash) as a file-systemfor data, for example. In an example, a disk array can include alltraditional hard drives, all flash drives, or a combination oftraditional hard drives and flash drives. Volumes can span a portion ofa disk, a collection of disks, or portions of disks, for example, andtypically define an overall logical arrangement of file storage on diskspace in the storage system. In an embodiment a volume can comprisestored data as one or more files that reside in a hierarchical directorystructure within the volume.

Volumes are typically configured in formats that may be associated withparticular storage systems, and respective volume formats typicallycomprise features that provide functionality to the volumes, such asproviding an ability for volumes to form clusters. For example, where afirst storage system may utilize a first format for their volumes, asecond storage system may utilize a second format for their volumes.

In the clustered network environment 100, the host devices 108, 110 canutilize the data storage systems 102, 104 to store and retrieve datafrom the volumes 132. In this embodiment, for example, the host device108 can send data packets to the network module 120 in the node 116within data storage system 102. The node 116 can forward the data to thedata storage device 128 using the disk module 124, where the datastorage device 128 comprises volume 132A. In this way, in this example,the host device can access the volume 132A, to store and/or retrievedata, using the data storage system 102 connected by the storage networkconnection 112. Further, in this embodiment, the host device 110 canexchange data with the network module 122 in the node 118 within thedata storage system 104 (e.g., which may be remote from the data storagesystem 102). The node 118 can forward the data to the data storagedevice 130 using the disk module 126, thereby accessing volume 1328associated with the data storage device 130.

It may be appreciated that aggregate inline deduplication with volumegranular encryption may be implemented within the clustered networkenvironment 100. It may be appreciated that aggregate inlinededuplication with volume granular encryption may be implemented forand/or between any type of computing environment, and may betransferrable between physical devices (e.g., node 116, node 118, adesktop computer, a tablet, a laptop, a wearable device, a mobiledevice, a storage device, a server, etc.) and/or a cloud computingenvironment (e.g., remote to the clustered network environment 100).

FIG. 2 is an illustrative example of a data storage system 200 (e.g.,102, 104 in FIG. 1 ), providing further detail of an embodiment ofcomponents that may implement one or more of the techniques and/orsystems described herein. The data storage system 200 comprises a node202 (e.g., nodes 116, 118 in FIG. 1 ), and a data storage device 234(e.g., data storage devices 128, 130 in FIG. 1 ). The node 202 may be ageneral purpose computer, for example, or some other computing deviceparticularly configured to operate as a storage server. A host device205 (e.g., 108, 110 in FIG. 1 ) can be connected to the node 202 over anetwork 216, for example, to provide access to files and/or other datastored on the data storage device 234. In an example, the node 202comprises a storage controller that provides client devices, such as thehost device 205, with access to data stored within data storage device234.

The data storage device 234 can comprise mass storage devices, such asdisks 224, 226, 228 of a disk array 218, 220, 222. It will beappreciated that the techniques and systems, described herein, are notlimited by the example embodiment. For example, disks 224, 226, 228 maycomprise any type of mass storage devices, including but not limited tomagnetic disk drives, flash memory, and any other similar media adaptedto store information, including, for example, data (D) and/or parity (P)information.

The node 202 comprises one or more processors 204, a memory 206, anetwork adapter 210, a cluster access adapter 212, and a storage adapter214 interconnected by a system bus 242. The data storage system 200 alsoincludes an operating system 208 installed in the memory 206 of the node202 that can, for example, implement a Redundant Array of Independent(or Inexpensive) Disks (RAID) optimization technique to optimize areconstruction process of data of a failed disk in an array.

The operating system 208 can also manage communications for the datastorage system, and communications between other data storage systemsthat may be in a clustered network, such as attached to a cluster fabric215 (e.g., 106 in FIG. 1 ). Thus, the node 202, such as a networkstorage controller, can respond to host device requests to manage dataon the data storage device 234 (e.g., or additional clustered devices)in accordance with these host device requests. The operating system 208can often establish one or more file systems on the data storage system200, where a file system can include software code and data structuresthat implement a persistent hierarchical namespace of files anddirectories, for example. As an example, when a new data storage device(not shown) is added to a clustered network system, the operating system208 is informed where, in an existing directory tree, new filesassociated with the new data storage device are to be stored. This isoften referred to as “mounting” a file system.

In the example data storage system 200, memory 206 can include storagelocations that are addressable by the processors 204 and adapters 210,212, 214 for storing related software application code and datastructures. The processors 204 and adapters 210, 212, 214 may, forexample, include processing elements and/or logic circuitry configuredto execute the software code and manipulate the data structures. Theoperating system 208, portions of which are typically resident in thememory 206 and executed by the processing elements, functionallyorganizes the storage system by, among other things, invoking storageoperations in support of a file service implemented by the storagesystem. It will be apparent to those skilled in the art that otherprocessing and memory mechanisms, including various computer readablemedia, may be used for storing and/or executing application instructionspertaining to the techniques described herein. For example, theoperating system can also utilize one or more control files (not shown)to aid in the provisioning of virtual machines.

The network adapter 210 includes the mechanical, electrical andsignaling circuitry needed to connect the data storage system 200 to ahost device 205 over a network 216, which may comprise, among otherthings, a point-to-point connection or a shared medium, such as a localarea network. The host device 205 (e.g., 108, 110 of FIG. 1 ) may be ageneral-purpose computer configured to execute applications. Asdescribed above, the host device 205 may interact with the data storagesystem 200 in accordance with a client/host model of informationdelivery.

The storage adapter 214 cooperates with the operating system 208executing on the node 202 to access information requested by the hostdevice 205 (e.g., access data on a storage device managed by a networkstorage controller). The information may be stored on any type ofattached array of writeable media such as magnetic disk drives, flashmemory, and/or any other similar media adapted to store information. Inthe example data storage system 200, the information can be stored indata blocks on the disks 224, 226, 228. The storage adapter 214 caninclude input/output (I/O) interface circuitry that couples to the disksover an I/O interconnect arrangement, such as a storage area network(SAN) protocol (e.g., Small Computer System Interface (SCSI), iSCSI,hyperSCSI, Fiber Channel Protocol (FCP)). The information is retrievedby the storage adapter 214 and, if necessary, processed by the one ormore processors 204 (or the storage adapter 214 itself) prior to beingforwarded over the system bus 242 to the network adapter 210 (and/or thecluster access adapter 212 if sending to another node in the cluster)where the information is formatted into a data packet and returned tothe host device 205 over the network 216 (and/or returned to anothernode attached to the cluster over the cluster fabric 215).

In an embodiment, storage of information on disk arrays 218, 220, 222can be implemented as one or more storage volumes 230, 232 that arecomprised of a cluster of disks 224, 226, 228 defining an overalllogical arrangement of disk space. The disks 224, 226, 228 that compriseone or more volumes are typically organized as one or more groups ofRAIDs. As an example, volume 230 comprises an aggregate of disk arrays218 and 220, which comprise the cluster of disks 224 and 226.

In an embodiment, to facilitate access to disks 224, 226, 228, theoperating system 208 may implement a file system (e.g., write anywherefile system) that logically organizes the information as a hierarchicalstructure of directories and files on the disks. In this embodiment,respective files may be implemented as a set of disk blocks configuredto store information, whereas directories may be implemented asspecially formatted files in which information about other files anddirectories are stored.

Whatever the underlying physical configuration within this data storagesystem 200, data can be stored as files within physical and/or virtualvolumes, which can be associated with respective volume identifiers,such as file system identifiers (FSIDs), which can be 32-bits in lengthin one example.

A physical volume corresponds to at least a portion of physical storagedevices whose address, addressable space, location, etc. doesn't change,such as at least some of one or more data storage devices 234 (e.g., aRedundant Array of Independent (or Inexpensive) Disks (RAID system)).Typically the location of the physical volume doesn't change in that the(range of) address(es) used to access it generally remains constant.

A virtual volume, in contrast, is stored over an aggregate of disparateportions of different physical storage devices. The virtual volume maybe a collection of different available portions of different physicalstorage device locations, such as some available space from each of thedisks 224, 226, and/or 228. It will be appreciated that since a virtualvolume is not “tied” to any one particular storage device, a virtualvolume can be said to include a layer of abstraction or virtualization,which allows it to be resized and/or flexible in some regards.

Further, a virtual volume can include one or more logical unit numbers(LUNs) 238, directories 236, Qtrees 235, and files 240. Among otherthings, these features, but more particularly LUNS, allow the disparatememory locations within which data is stored to be identified, forexample, and grouped as data storage unit. As such, the LUNs 238 may becharacterized as constituting a virtual disk or drive upon which datawithin the virtual volume is stored within the aggregate. For example,LUNs are often referred to as virtual drives, such that they emulate ahard drive from a general purpose computer, while they actually comprisedata blocks stored in various parts of a volume.

In an embodiment, one or more data storage devices 234 can have one ormore physical ports, wherein each physical port can be assigned a targetaddress (e.g., SCSI target address). To represent respective volumesstored on a data storage device, a target address on the data storagedevice can be used to identify one or more LUNs 238. Thus, for example,when the node 202 connects to a volume 230, 232 through the storageadapter 214, a connection between the node 202 and the one or more LUNs238 underlying the volume is created.

In an embodiment, respective target addresses can identify multipleLUNs, such that a target address can represent multiple volumes. The I/Ointerface, which can be implemented as circuitry and/or software in thestorage adapter 214 or as executable code residing in memory 206 andexecuted by the processors 204, for example, can connect to volume 230by using one or more addresses that identify the one or more LUNs 238.

It may be appreciated that aggregate inline deduplication with volumegranular encryption may be implemented for the data storage system 200.It may be appreciated that managing objects within an object store maybe implemented for and/or between any type of computing environment, andmay be transferrable between physical devices (e.g., node 202, hostdevice 205, a desktop computer, a tablet, a laptop, a wearable device, amobile device, a storage device, a server, etc.) and/or a cloudcomputing environment (e.g., remote to the node 202 and/or the hostdevice 205).

One embodiment of aggregate inline deduplication with volume granularencryption is illustrated by an exemplary method 300 of FIG. 3 andfurther described in conjunction with system 400 of FIGS. 4A-4D. Astorage environment 406 provides tenants with access to services andcomputing resources, such as for application execution and hosting,storage services, etc. For example, a first tenant may connect to thestorage environment 406 using a first tenant device 402 (e.g., a laptop,a computer, a wearable device, a mobile device, etc.). The storageenvironment 406 may assign a first volume 408 to the first tenant forstoring data of the first tenant. A second tenant may connect to thestorage environment 406 using a second tenant device 404. The storageenvironment 406 may assign a second volume 410 to the second tenant forstoring data of the second tenant. In this way, the storage environment406 can isolate data of tenants by using different volumes assigned toparticular tenants.

In order to provide data security and privacy, data is encrypted usingexclusive encryption keys and shared encryption keys that are assignedper volume/per tenant. For example, a first exclusive encryption key isassigned to the first volume 408 for encrypting data exclusive to thefirst volume 408 (e.g., data that is not shared with another volume).Only the first tenant is provided with access to the first exclusive key(e.g., only storage services provided by the storage environment 406 forthe first tenant are able to access the first exclusive key forproviding the first tenant with access to the exclusive data within thefirst volume 408). A first shared encryption key is assigned to thefirst volume 408 for encrypting data shared between the first volume 408and one or more additional volumes of the storage environment 406, suchas the second volume 410. The first shared encryption key is madeavailable to tenants of the storage environment 406, such as storageservices of the storage environment 406 providing the second tenant withaccess to data within the second volume 410. As will be subsequentlydiscussed in further detail, shared data within the first volume 408 maybe referenced by the second volume 410 due to inline deduplication 416,and thus the first shared encryption key of the first volume 408 can beused by the second volume 410 to access the shared data. In this way,data exclusive to the first volume 408 is encrypted and stored withinthe first volume 408 using the first exclusive encryption key. Data ofthe first volume 408 that is shared with other volumes is encrypted andstored within the first volume 408 using the first shared encryptionkey.

A second exclusive encryption key is assigned to the second volume 410for encrypting data exclusive to the second volume 410 (e.g., data thatis not shared with another volume). Only the second tenant is providedwith access to the second exclusive key (e.g., only storage servicesprovided by the storage environment 406 for the second tenant are ableto access the second exclusive key for providing the second tenant withaccess to the exclusive data within the second volume 410). A secondshared encryption key is assigned to the second volume 410 forencrypting data shared between the second volume 410 and one or moreadditional volumes of the storage environment 406, such as the firstvolume 408. The second shared encryption key is made available totenants of the storage environment 406, such as storage services of thestorage environment 406 providing the first tenant with access to datawithin the first volume 408. As will be subsequently discussed infurther detail, shared data within the second volume 410 may bereferenced by the first volume 408 due to inline deduplication 416, andthus the second shared encryption key of the second volume 410 can beused by the first volume 408 to access the shared data. In this way,data exclusive to the second volume 410 is encrypted and stored withinthe second volume 410 using the second exclusive encryption key. Data ofthe second volume 410 that is shared with other volumes is encrypted andstored within the second volume 410 using the second shared encryptionkey.

Exclusive encryption keys may be maintained within a tenant server 412of the storage environment. The tenant server 412 is configured toprovide tenants (e.g., a storage service of the storage environment 406executing on behalf of a particular tenant) with access to theirexclusive encryption keys, and to exclude tenants from access exclusiveencryption keys of other tenants. For example, the tenant server 412allows the first tenant to access the first exclusive encryption key butnot the second exclusive encryption key of the second tenant. Thus, thefirst tenant cannot access data within the second volume 410 that isexclusive to the second tenant because the first tenant cannot decryptthe data without the second exclusive encryption key. Similarly, thetenant server 412 allows the second tenant to access the secondexclusive encryption key but not the first exclusive encryption key ofthe first tenant. Thus, the second tenant cannot access data within thefirst volume 408 that is exclusive to the first tenant because thesecond tenant cannot decrypt the data without the second exclusiveencryption key.

Shared encryption keys may be maintained within an admin server 414 ofthe storage environment 406. The admin server 414 may be configured toprovide tenants (e.g., a storage service of the storage environment 406executing on behalf of a particular tenant) with access to the sharedencryption keys. For example, the first tenant can access the firstshared encryption key for decrypting and accessing shared data withinthe first volume 408 owned by the first tenant. The first tenant canaccess the second shared encryption key for decrypting and accessingshared data within the second volume 410 owned by the second tenant. Thesecond tenant can access the first shared encryption key for decryptingand accessing shared data within the first volume 408 owned by the firsttenant. The second tenant can access the second shared encryption keyfor decrypting and accessing shared data within the second volume 410owned by the second tenant.

Because tenants (e.g., a storage service of the storage environment 406executing on behalf of a particular tenant) have access to sharedencryption keys of other tenants, inline deduplication 416 can beperformed at an aggregate level across multiple volumes owned bydifferent tenants. Aggregate inline deduplication can be performed toimprove storage efficiency of the storage environment 406 whilemaintaining an acceptable level of data security and privacy becauseexclusive data cannot be accessed by other tenants due to beingencrypted with exclusive encryption keys accessible only to tenantsowning such exclusive encryption keys.

Inline deduplication 416 is performed upon data before the data isstored to storage devices, such as before being stored into the firstvolume 408, the second volume 410, or other volumes. Inlinededuplication 416 may receive an incoming operation that is to writedata to the first volume 408. Inline deduplication 416 will calculate afingerprint, such as a hash, of the data to be written by the incomingoperation to the first volume 408. Inline deduplication 416 will comparethe fingerprint to fingerprints of a fingerprint store 422 comprisingfingerprints of data already stored within the storage environment 406.If there is no matching fingerprint within the fingerprint store 422 fordata to be written to the first volume 408, then the data is not alreadystored within the storage environment 406. Thus, the data is encryptedusing the first exclusive encryption key and is stored within the firstvolume 408. If there is a matching fingerprint within the fingerprintstore 422 data, then the data is already stored within the storageenvironment 406. Thus, the data will not be redundantly stored into thefirst volume 408. Instead, a pointer referencing the already stored datawill be stored into the first volume 408. In this way, deduplicated datafor storage within the storage environment 406 is received, at 302.

A reference count structure 418 is maintained with mappings between datablock identifiers of data blocks within the storage environment 406 andvolumes referencing the data block identifiers. If a data blockidentifier of a data block of data is mapped to (referenced by) morethan one volume, then the data is shared data shared between multiplevolumes. If the data block identifier is a mapped to only one volume,then the data is exclusive data that is exclusive to just that onevolume. In this way, the reference count structure 418 can be used totrack and identify shared data and exclusive data.

At 304, data of the deduplicated data that is exclusive to (unique to)the first volume 408 (e.g., data identified by inline deduplication 416as not already being stored within the storage environment 406) isencrypted and stored 419 into the first volume 408 using the firstexclusive encryption key available to the first volume 408 butinaccessible to other volumes/tenants (e.g., inaccessible to storageservices executing on behalf of other tenants that are blocked fromaccess the first exclusive encryption key by the tenant server 412), asillustrated by FIG. 4A.

At 306, data of the deduplicated data that is not unique to (notexclusive to) the first volume 408 (e.g., data identified by inlinededuplication 416 as already being stored within the second volume 410)is encrypted and stored 421 using a shared encryption key available toother volumes/tenants, as illustrated by FIG. 4B. In particular, if thedata is already stored within the second volume 410 and is encryptedusing the second shared encryption key available to the first volume408/tenant, then merely a reference to that data is stored within thefirst volume 408. Thus, the first volume 410 can use the second sharedencryption key and the reference to access the data within the secondvolume 410. However, if that data is encrypted using the secondexclusive encryption key available only to the second tenant (e.g., thisis the first instance where the data will be shared), then the data isdecrypted using the second exclusive encryption key and is re-encryptedusing the second shared encryption key available to the first volume408/tenant. The reference to the re-encrypted data of the second volume410 is stored into the first volume 408. Thus, the first volume 410 cannow use the second shared encryption key and the reference to access thedata within the second volume 410. In this way, exclusive data encryptedusing an exclusive encryption key will be decrypted and re-encryptedusing a shared encryption key based upon the exclusive data now beingshared between multiple volumes of different tenants.

FIG. 4C illustrates an example of accessing shared data. For example, afirst data block within the first volume 408 comprises data that isinitially exclusive/unique to the first volume 408, and thus isencrypted with the first exclusive encryption key. An entry is createdwithin the reference count structure 418 with a reference count of 1mapping a data block identifier of the first data block to the firstvolume 408. A fingerprint of the data is stored within the fingerprintstore 422.

Subsequently, the inline deduplication 416 evaluates an incomingoperation using the fingerprint store 422. The incoming operation may bea write operation from the second tenant device 404 to write data intothe second volume 410. The inline deduplication 416 may determine that afingerprint of the data to be written to the second volume 410 matchesthe fingerprint of the data stored within the first data block of thefirst volume 408 (e.g., the fingerprint of the data to be written to thesecond volume 410 is found within the fingerprint store 422). Thus, thedata of the incoming operation is duplicate data of the data storedwithin the first data block of the first volume 408. Accordingly, thefirst exclusive encryption key of the first volume 408 is used todecrypt the first data block. The first data block is then encryptedusing the first shared data block of the first volume 408. As part ofthe inline deduplication 416, a pointer referencing the first data blockwithin the first volume 408 is stored into the second volume 410 inplace of the duplicate data of the incoming operation. The pointer andthe first shared encryption key can be used by the second volume 410 toaccess 423 the shared data within the first data block of the firstvolume 408. The reference count structure 418 is updated with areference count of 2 to map the data block identifier to the firstvolume 408 and the second volume 410. In this way, aggregate inlinededuplication and volume granular encryption are implemented for thestorage environment 406.

In an embodiment, keys within the tenant server 412 and/or the adminserver 414 can be rekeyed (changed). For example, the first exclusiveencryption key of the first volume 408 can be rekeyed to a new exclusiveencryption key available only to the first volume 408. In particular,the data unique/exclusive to the first volume 408 is decrypted using thefirst exclusive encryption key. That data is then encrypted using thenew exclusive encryption key. The first exclusive encryption key is thendeleted from the tenant server 412 and the new exclusive encryption keyis stored into the tenant server 412 for exclusive access by the firsttenant. Similarly, the first shared encryption key of the first volume408 can be rekeyed to a new shared encryption key. In particular, shareddata within the first volume 408 is decrypted using the first sharedencryption key. The shared data is then encrypted using the new sharedencryption key. The first shared encryption key is then deleted from theadmin server 414 and the new shared encryption key is stored into theadmin server 414 for access by tenants.

In an embodiment, a volume can be deleted such that a different volumewill be used as a donor volume for sharing shared data previously storedby the deleted volume, as illustrated in FIG. 4D. A donor volume is avolume comprising shared data that is referenced by recipient volumes.If the volume comprises shared data then the volume is a donor volumefor that particular data, and if the volume references data of othervolumes then the volume is a recipient volume for that data. In anexample, a delete command is received from the first tenant device 402to delete the first volume 408 of the first tenant. Accordingly, thefirst volume 408 is deleted 424 by deleting data exclusive to the firstvolume 408 (e.g., data not shared by any other volume) and by deletingthe first exclusive encryption key of the first volume 408. However,shared data within the first volume 408 and the first shared encryptionkey of the first volume 408 is not yet deleted, but is designated/markedfor subsequent deletion.

References/pointers within the first volume 408 to data within othervolumes may be deleted from the first volume 408. The fingerprint store422 and the reference count structure 418 may be updated to reflect thatthe first volume 408 has been deleted and no longer comprises exclusivedata or references/pointers to shared data within other volumes.

A scanner 420 is executed to identify and reassign the shared data ofthe deleted first volume 408 to a new donor volume, such as the secondvolume 410. The scanner 420 may use the reference count structure 418 toidentify the shared data based upon data block identifiers havingreference counts greater than 1 and thus being referenced by at leastone other volume than the first volume 408. The scanner 420 may decryptthe shared data within the deleted first volume 408 using the firstshared encryption key of the deleted first volume 408. The shared datamay be re-encrypted using the second shared encryption key of the secondvolume 410, such that the second volume 410 now comprises the shareddata. Once complete, the first shared encryption key is deleted. Thefingerprint store 422 and the reference count structure 418 may beupdated to reflect that the second volume 410 now comprises the shareddata and the shared data no longer being stored within the first volume408. In an embodiment, the scanner 420 may be configured to execute as abackground process having lower executing priority than storage servicesof the storage environment 406 so that the processing of incoming I/O isnot impacted by the scanner 420.

Still another embodiment involves a computer-readable medium 500comprising processor-executable instructions configured to implement oneor more of the techniques presented herein. An example embodiment of acomputer-readable medium or a computer-readable device that is devisedin these ways is illustrated in FIG. 5 , wherein the implementationcomprises a computer-readable medium 508, such as a compactdisc-recordable (CD-R), a digital versatile disc-recordable (DVD-R),flash drive, a platter of a hard disk drive, etc., on which is encodedcomputer-readable data 506. This computer-readable data 506, such asbinary data comprising at least one of a zero or a one, in turncomprises a processor-executable computer instructions 504 configured tooperate according to one or more of the principles set forth herein. Insome embodiments, the processor-executable computer instructions 504 areconfigured to perform a method 502, such as at least some of theexemplary method 300 of FIG. 3 , for example. In some embodiments, theprocessor-executable computer instructions 504 are configured toimplement a system, such as at least some of the exemplary system 400 ofFIGS. 4A-4D, for example. Many such computer-readable media arecontemplated to operate in accordance with the techniques presentedherein.

FIG. 6 is a diagram illustrating an example operating environment 600 inwhich an embodiment of the techniques described herein may beimplemented. In one example, the techniques described herein may beimplemented within a client device 628, such as a laptop, tablet,personal computer, mobile device, wearable device, etc. In anotherexample, the techniques described herein may be implemented within astorage controller 630, such as a node configured to manage the storageand access to data on behalf of the client device 628 and/or otherclient devices. In another example, the techniques described herein maybe implemented within a distributed computing platform 602 such as acloud computing environment (e.g., a cloud storage environment, amulti-tenant platform, etc.) configured to manage the storage and accessto data on behalf of the client device 628 and/or other client devices.

In yet another example, at least some of the techniques described hereinare implemented across one or more of the client device 628, the storagecontroller 630, and the distributed computing platform 602. For example,the client device 628 may transmit operations, such as data operationsto read data and write data and metadata operations (e.g., a create fileoperation, a rename directory operation, a resize operation, a setattribute operation, etc.), over a network 626 to the storage controller630 for implementation by the storage controller 630 upon storage. Thestorage controller 630 may store data associated with the operationswithin volumes or other data objects/structures hosted within locallyattached storage, remote storage hosted by other computing devicesaccessible over the network 626, storage provided by the distributedcomputing platform 602, etc. The storage controller 630 may replicatethe data and/or the operations to other computing devices so that one ormore replicas, such as a destination storage volume that is maintainedas a replica of a source storage volume, are maintained. Such replicascan be used for disaster recovery and failover.

The storage controller 630 may store the data or a portion thereofwithin storage hosted by the distributed computing platform 602 bytransmitting the data to the distributed computing platform 602. In oneexample, the storage controller 630 may locally store frequentlyaccessed data within locally attached storage. Less frequently accesseddata may be transmitted to the distributed computing platform 602 forstorage within a data storage tier 608. The data storage tier 608 maystore data within a service data store 620, and may store clientspecific data within client data stores assigned to such clients such asa client (1) data store 622 used to store data of a client (1) and aclient (N) data store 624 used to store data of a client (N). The datastores may be physical storage devices or may be defined as logicalstorage, such as a virtual volume, LUNs, or other logical organizationsof data that can be defined across one or more physical storage devices.In another example, the storage controller 630 transmits and stores allclient data to the distributed computing platform 602. In yet anotherexample, the client device 628 transmits and stores the data directly tothe distributed computing platform 602 without the use of the storagecontroller 630.

The management of storage and access to data can be performed by one ormore storage virtual machines (SMVs) or other storage applications thatprovide software as a service (SaaS) such as storage software services.In one example, an SVM may be hosted within the client device 628,within the storage controller 630, or within the distributed computingplatform 602 such as by the application server tier 606. In anotherexample, one or more SVMs may be hosted across one or more of the clientdevice 628, the storage controller 630, and the distributed computingplatform 602.

In one example of the distributed computing platform 602, one or moreSVMs may be hosted by the application server tier 606. For example, aserver (1) 616 is configured to host SVMs used to execute applicationssuch as storage applications that manage the storage of data of theclient (1) within the client (1) data store 622. Thus, an SVM executingon the server (1) 616 may receive data and/or operations from the clientdevice 628 and/or the storage controller 630 over the network 626. TheSVM executes a storage application to process the operations and/orstore the data within the client (1) data store 622. The SVM maytransmit a response back to the client device 628 and/or the storagecontroller 630 over the network 626, such as a success message or anerror message. In this way, the application server tier 606 may hostSVMs, services, and/or other storage applications using the server (1)616, the server (N) 618, etc.

A user interface tier 604 of the distributed computing platform 602 mayprovide the client device 628 and/or the storage controller 630 withaccess to user interfaces associated with the storage and access of dataand/or other services provided by the distributed computing platform602. In an example, a service user interface 610 may be accessible fromthe distributed computing platform 602 for accessing services subscribedto by clients and/or storage controllers, such as data replicationservices, application hosting services, data security services, humanresource services, warehouse tracking services, accounting services,etc. For example, client user interfaces may be provided tocorresponding clients, such as a client (1) user interface 612, a client(N) user interface 614, etc. The client (1) can access various servicesand resources subscribed to by the client (1) through the client (1)user interface 612, such as access to a web service, a developmentenvironment, a human resource application, a warehouse trackingapplication, and/or other services and resources provided by theapplication server tier 606, which may use data stored within the datastorage tier 608.

The client device 628 and/or the storage controller 630 may subscribe tocertain types and amounts of services and resources provided by thedistributed computing platform 602. For example, the client device 628may establish a subscription to have access to three virtual machines, acertain amount of storage, a certain type/amount of data redundancy, acertain type/amount of data security, certain service level agreements(SLAs) and service level objectives (SLOs), latency guarantees,bandwidth guarantees, access to execute or host certain applications,etc. Similarly, the storage controller 630 can establish a subscriptionto have access to certain services and resources of the distributedcomputing platform 602.

As shown, a variety of clients, such as the client device 628 and thestorage controller 630, incorporating and/or incorporated into a varietyof computing devices may communicate with the distributed computingplatform 602 through one or more networks, such as the network 626. Forexample, a client may incorporate and/or be incorporated into a clientapplication (e.g., software) implemented at least in part by one or moreof the computing devices.

Examples of suitable computing devices include personal computers,server computers, desktop computers, nodes, storage servers, storagecontrollers, laptop computers, notebook computers, tablet computers orpersonal digital assistants (PDAs), smart phones, cell phones, andconsumer electronic devices incorporating one or more computing devicecomponents, such as one or more electronic processors, microprocessors,central processing units (CPU), or controllers. Examples of suitablenetworks include networks utilizing wired and/or wireless communicationtechnologies and networks operating in accordance with any suitablenetworking and/or communication protocol (e.g., the Internet). In usecases involving the delivery of customer support services, the computingdevices noted represent the endpoint of the customer support deliveryprocess, i.e., the consumer's device.

The distributed computing platform 602, such as a multi-tenant businessdata processing platform or cloud computing environment, may includemultiple processing tiers, including the user interface tier 604, theapplication server tier 606, and a data storage tier 608. The userinterface tier 604 may maintain multiple user interfaces, includinggraphical user interfaces and/or web-based interfaces. The userinterfaces may include the service user interface 610 for a service toprovide access to applications and data for a client (e.g., a “tenant”)of the service, as well as one or more user interfaces that have beenspecialized/customized in accordance with user specific requirements,which may be accessed via one or more APIs.

The service user interface 610 may include components enabling a tenantto administer the tenant's participation in the functions andcapabilities provided by the distributed computing platform 602, such asaccessing data, causing execution of specific data processingoperations, etc. Each processing tier may be implemented with a set ofcomputers, virtualized computing environments such as a storage virtualmachine or storage virtual server, and/or computer components includingcomputer servers and processors, and may perform various functions,methods, processes, or operations as determined by the execution of asoftware application or set of instructions.

The data storage tier 608 may include one or more data stores, which mayinclude the service data store 620 and one or more client data stores.Each client data store may contain tenant-specific data that is used aspart of providing a range of tenant-specific business and storageservices or functions, including but not limited to ERP, CRM, eCommerce,Human Resources management, payroll, storage services, etc. Data storesmay be implemented with any suitable data storage technology, includingstructured query language (SQL) based relational database managementsystems (RDBMS), file systems hosted by operating systems, objectstorage, etc.

In accordance with one embodiment of the invention, the distributedcomputing platform 602 may be a multi-tenant and service platformoperated by an entity in order to provide multiple tenants with a set ofbusiness related applications, data storage, and functionality. Theseapplications and functionality may include ones that a business uses tomanage various aspects of its operations. For example, the applicationsand functionality may include providing web-based access to businessinformation systems, thereby allowing a user with a browser and anInternet or intranet connection to view, enter, process, or modifycertain types of business information or any other type of information.

In an embodiment, the described methods and/or their equivalents may beimplemented with computer executable instructions. Thus, in anembodiment, a non-transitory computer readable/storage medium isconfigured with stored computer executable instructions of analgorithm/executable application that when executed by a machine(s)cause the machine(s) (and/or associated components) to perform themethod. Example machines include but are not limited to a processor, acomputer, a server operating in a cloud computing system, a serverconfigured in a Software as a Service (SaaS) architecture, a smartphone, and so on). In an embodiment, a computing device is implementedwith one or more executable algorithms that are configured to performany of the disclosed methods.

It will be appreciated that processes, architectures and/or proceduresdescribed herein can be implemented in hardware, firmware and/orsoftware. It will also be appreciated that the provisions set forthherein may apply to any type of special-purpose computer (e.g., filehost, storage server and/or storage serving appliance) and/orgeneral-purpose computer, including a standalone computer or portionthereof, embodied as or including a storage system. Moreover, theteachings herein can be configured to a variety of storage systemarchitectures including, but not limited to, a network-attached storageenvironment and/or a storage area network and disk assembly directlyattached to a client or host computer. Storage system should thereforebe taken broadly to include such arrangements in addition to anysubsystems configured to perform a storage function and associated withother equipment or systems.

In some embodiments, methods described and/or illustrated in thisdisclosure may be realized in whole or in part on computer-readablemedia. Computer readable media can include processor-executableinstructions configured to implement one or more of the methodspresented herein, and may include any mechanism for storing this datathat can be thereafter read by a computer system. Examples of computerreadable media include (hard) drives (e.g., accessible via networkattached storage (NAS)), Storage Area Networks (SAN), volatile andnon-volatile memory, such as read-only memory (ROM), random-accessmemory (RAM), electrically erasable programmable read-only memory(EEPROM) and/or flash memory, compact disk read only memory (CD-ROM)s,CD-Rs, compact disk re-writeable (CD-RW)s, DVDs, cassettes, magnetictape, magnetic disk storage, optical or non-optical data storage devicesand/or any other medium which can be used to store data.

Although the subject matter has been described in language specific tostructural features or methodological acts, it is to be understood thatthe subject matter defined in the appended claims is not necessarilylimited to the specific features or acts described above. Rather, thespecific features and acts described above are disclosed as exampleforms of implementing at least some of the claims.

Various operations of embodiments are provided herein. The order inwhich some or all of the operations are described should not beconstrued to imply that these operations are necessarily orderdependent. Alternative ordering will be appreciated given the benefit ofthis description. Further, it will be understood that not all operationsare necessarily present in each embodiment provided herein. Also, itwill be understood that not all operations are necessary in someembodiments.

Furthermore, the claimed subject matter is implemented as a method,apparatus, or article of manufacture using standard application orengineering techniques to produce software, firmware, hardware, or anycombination thereof to control a computer to implement the disclosedsubject matter. The term “article of manufacture” as used herein isintended to encompass a computer application accessible from anycomputer-readable device, carrier, or media. Of course, manymodifications may be made to this configuration without departing fromthe scope or spirit of the claimed subject matter.

As used in this application, the terms “component”, “module,” “system”,“interface”, and the like are generally intended to refer to acomputer-related entity, either hardware, a combination of hardware andsoftware, software, or software in execution. For example, a componentincludes a process running on a processor, a processor, an object, anexecutable, a thread of execution, an application, or a computer. By wayof illustration, both an application running on a controller and thecontroller can be a component. One or more components residing within aprocess or thread of execution and a component may be localized on onecomputer or distributed between two or more computers.

Moreover, “exemplary” is used herein to mean serving as an example,instance, illustration, etc., and not necessarily as advantageous. Asused in this application, “or” is intended to mean an inclusive “or”rather than an exclusive “or”. In addition, “a” and “an” as used in thisapplication are generally be construed to mean “one or more” unlessspecified otherwise or clear from context to be directed to a singularform. Also, at least one of A and B and/or the like generally means A orB and/or both A and B. Furthermore, to the extent that “includes”,“having”, “has”, “with”, or variants thereof are used, such terms areintended to be inclusive in a manner similar to the term “comprising”.

Many modifications may be made to the instant disclosure withoutdeparting from the scope or spirit of the claimed subject matter. Unlessspecified otherwise, “first,” “second,” or the like are not intended toimply a temporal aspect, a spatial aspect, an ordering, etc. Rather,such terms are merely used as identifiers, names, etc. for features,elements, items, etc. For example, a first set of information and asecond set of information generally correspond to set of information Aand set of information B or two different or two identical sets ofinformation or the same set of information.

Also, although the disclosure has been shown and described with respectto one or more implementations, equivalent alterations and modificationswill occur to others skilled in the art based upon a reading andunderstanding of this specification and the annexed drawings. Thedisclosure includes all such modifications and alterations and islimited only by the scope of the following claims. In particular regardto the various functions performed by the above described components(e.g., elements, resources, etc.), the terms used to describe suchcomponents are intended to correspond, unless otherwise indicated, toany component which performs the specified function of the describedcomponent (e.g., that is functionally equivalent), even though notstructurally equivalent to the disclosed structure. In addition, while aparticular feature of the disclosure may have been disclosed withrespect to only one of several implementations, such feature may becombined with one or more other features of the other implementations asmay be desired and advantageous for any given or particular application.

What is claimed is:
 1. A method comprising: receiving deduplicated datafor storage within a storage environment comprising a first volume and asecond volume; encrypting and storing, into the first volume, first dataof the deduplicated data that is exclusive to the first volume using afirst exclusive encryption key available to the first volume andunavailable to the second volume; encrypting and storing, into the firstvolume, second data of the deduplicated data that is shared between thefirst volume and the second volume using a first shared encryption keyof the first volume available to the first volume and the second volume;and using, by the second volume, the first shared encryption key todecrypt data within the first volume shared with the second volume,wherein data exclusive to the first volume is encrypted and storedwithin the first volume using the first exclusive encryption key, andwherein data shared between the first volume and the second volume isencrypted and stored within the first volume using the first sharedencryption key.
 2. The method of claim 1, wherein data exclusive to thesecond volume is encrypted and stored within the second volume using asecond exclusive encryption key available to the second volume andunavailable to the first volume.
 3. The method of claim 1, wherein data,of the second volume, shared between the first volume and the secondvolume is encrypted and stored within the second volume using a secondshared encryption key of the second volume available to the first volumeand the second volume.
 4. The method of claim 1, comprising: determiningthat a first data block exclusive to the first volume is to be shared bya second data block of the second volume.
 5. The method of claim 4,comprising: decrypting the first data block using the first exclusiveencryption key and encrypting the first data block using the firstshared encryption key, wherein the first data block is shared with thesecond data block and is accessible to the second volume using the firstshared encryption key, and where an incoming data block is encryptedusing the second shared encryption key and a duplicate data block of theincoming data block is deleted from the first volume and replaced with apointer to the incoming data block.
 6. The method of claim 4,comprising: decrypting the first data block using the first exclusiveencryption key and encrypting the first data block using the firstshared encryption key, wherein the first data block is shared with thesecond data block and is accessible to the second volume using the firstshared encryption key.
 7. The method of claim 1, comprising: rekeyingthe first exclusive encryption key to a new exclusive encryption key,wherein data exclusive to the first volume is decrypted using the firstexclusive encryption key and re-encrypted using the new exclusiveencryption key.
 8. The method of claim 1, comprising: rekeying the firstshared encryption key to a new shared encryption key, wherein data ofthe first volume shared between the first volume and the second volumeis decrypted using the first shared encryption key and re-encryptedusing the new shared encryption key.
 9. The method of claim 1,comprising: deleting the first volume, wherein data exclusive to thefirst volume is deleted and the first exclusive encryption key isdeleted, and wherein shared data of the first volume shared between thefirst volume and the second volume and the first shared encryption keyis retained and marked for deletion.
 10. The method of claim 9,comprising: decrypting the shared data using the first shared encryptionkey and re-encrypting the shared data using a second shared encryptionkey of the second volume.
 11. The method of claim 10, comprising:deleting the first shared encryption key based upon the shared databeing re-encrypted and associated with the second volume.
 12. The methodof claim 11, comprising: executing a scanner to identify and re-encryptthe shared data as a background process having lower execution prioritythan storage services processing client operations.
 13. The method ofclaim 10, comprising: evaluating a reference count structure to identifythe shared data as data blocks referenced by multiple volumes, whereinthe reference count structure maps data block identifiers to volumesreferencing the data block identifiers.
 14. A non-transitory machinereadable medium comprising instructions for performing a method, whichwhen executed by a machine, causes the machine to: receive deduplicateddata for storage within a storage environment comprising a first volumeand a second volume; encrypt and store, into the first volume, firstdata of the deduplicated data that is exclusive to the first volumeusing a first exclusive encryption key available to the first volume andunavailable to the second volume; encrypt and store, into the firstvolume, second data of the deduplicated data that is shared between thefirst volume and the second volume using a first shared encryption keyof the first volume available to the first volume and the second volume;and rekey the first exclusive encryption key to a new exclusiveencryption key, wherein data exclusive to the first volume is decryptedusing the first exclusive encryption key and re-encrypted using the newexclusive encryption key, wherein data exclusive to the first volume isencrypted and stored within the first volume using the first exclusiveencryption key, and wherein data shared between the first volume and thesecond volume is encrypted and stored within the first volume using thefirst shared encryption key.
 15. The non-transitory machine readablemedium of claim 14, wherein the instructions cause the machine to:maintain exclusive encryption keys within a tenant server configured toprovide a tenant of the first volume with access to the first exclusiveencryption key and exclude other tenants from accessing the firstexclusive encryption key.
 16. The non-transitory machine readable mediumof claim 14, wherein the instructions cause the machine to: maintainshared encryption keys within an admin server configured to providetenants with access to the shared encryption keys.
 17. A computingdevice comprising: a memory comprising machine executable code forperforming a method; and a processor coupled to the memory, theprocessor configured to execute the machine executable code to cause theprocessor to: receive deduplicated data for storage within a storageenvironment comprising a first volume and a second volume; encrypt andstore, into the first volume, first data of the deduplicated data thatis exclusive to the first volume using a first exclusive encryption keyavailable to the first volume and unavailable to the second volume;encrypt and store, into the first volume, second data of thededuplicated data that is shared between the first volume and the secondvolume using a first shared encryption key of the first volume availableto the first volume and the second volume; and delete the first volume,wherein data exclusive to the first volume is deleted and the firstexclusive encryption key is deleted, wherein shared data of the firstvolume shared between the first volume and the second volume and thefirst shared encryption key is retained and marked for deletion, whereindata exclusive to the first volume is encrypted and stored within thefirst volume using the first exclusive encryption key, and wherein datashared between the first volume and the second volume is encrypted andstored within the first volume using the first shared encryption key.18. The computing device of claim 17, wherein the machine executablecode causes the processor to: perform deduplication using a fingerprintstore comprising fingerprints of data within the storage environment tocreate the deduplicated data.
 19. The computing device of claim 17,wherein the machine executable code causes the processor to: maintain areference count map mapping data block identifiers to volumesreferencing the data block identifiers.